fix: fp with goopdate

rules/windows/image_load/image_load_side_load_goopdate.yml

@@ -6,6 +6,7 @@ references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/15
+modified: 2023/05/20
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
@@ -17,19 +18,11 @@ logsource:
 detection:
     selection:
         ImageLoaded|endswith: '\goopdate.dll'
-    filter_main_paths:
-        Image|endswith: '\GoogleUpdate.exe'
+    filter_main_generic:
         ImageLoaded|startswith:
-            - 'C:\Program Files (x86)\Google\'
-            - 'C:\Program Files\Google\'
-    filter_optional_user_paths:
-        Image|endswith: '\GoogleUpdate.exe'
-        ImageLoaded|contains: '\AppData\Local\Google\Update\'
-    filter_optional_dropbox:
-        Image|contains: '\Dropbox'
-        ImageLoaded|startswith:
-            - 'C:\Program Files (x86)\Dropbox\Update\'
-            - 'C:\Program Files\Dropbox\Update\'
+            # Many third party chromium based apps use this DLLs. It's better to create a baseline and add specific filters
+            - 'C:\Program Files (x86)\'
+            - 'C:\Program Files\'
     filter_optional_dropbox_installer_temp:
         Image|contains|all:
             - '\AppData\Local\Temp\GUM'
@@ -39,5 +32,5 @@ detection:
             - '.tmp\\goopdate.dll'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
-    - False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly.
+    - False positives are expected from Google Chrome installations or third party party chromium browsers running from user locations (AppData) and other custom locations. Apply additional filters accordingly.
 level: medium